tcpdump mailing list archives
problem with caplen<total len
From: "Russ Fink" <russfink () hotmail com>
Date: Fri, 10 Oct 2003 08:03:55 -0400
Hello,
I tried to ask this before, but don't believe I was subscribed - sorry if you're seeing it a second time.
I noticed if you use the "-s" option with the "-w" option in tcpdump, this causes a pure truncate of packets which are then stored into the pcap file. Some of the bigger packets are not valid packets in this case, because the IP total length field represents a larger size than was actually captured. For instance, if I have packets that are 1500 bytes, but I set -s 1000, then tcpdump captures 1000 bytes of the packet but the IP total length still says 1500. Additionally, the checksums are not recomputed for the smaller, truncated packet.
Earlier, I thought this was a bug, but the more I think about it, it's really not. A chop is a chop. The original header data should not be changed just because I'm collecting the packets differently.
My question now is, is there any utility you know of that can fix "broken" pcap files - specifically, update the ip header length = caplen, and recompute the various checksums?
Thanks, Russ
- This is the TCPDUMP workers list. It is archived at http://www.tcpdump.org/lists/workers/index.html To unsubscribe use mailto:tcpdump-workers-request () tcpdump org?body=unsubscribe
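The kind of repair asked about in the message above, as an added example that is not part of the original post and not a tcpdump or libpcap tool: it walks a pcap file, finds IPv4 packets whose total length exceeds the bytes actually captured, sets total length to the captured IP byte count and recomputes the IP header checksum. It assumes a little-endian classic pcap with Ethernet II framing, leaves TCP/UDP checksums and the record's original length field untouched, and all function names and the sample capture are constructed for illustration.

```python
import struct

def ip_checksum(header: bytes) -> int:
    """RFC 1071 ones'-complement checksum over an IPv4 header."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def repair_pcap(data: bytes):
    """Patch truncated IPv4 packets; returns (new_pcap, report).
    Assumes little-endian classic pcap, Ethernet II link type."""
    magic, *_, linktype = struct.unpack_from("<IHHiIII", data, 0)
    if magic != 0xA1B2C3D4 or linktype != 1:
        raise ValueError("unsupported capture format")
    out, report, off, idx = bytearray(data[:24]), [], 24, 0
    while off + 16 <= len(data):
        ts_sec, ts_usec, caplen, orig_len = struct.unpack_from("<IIII", data, off)
        pkt = bytearray(data[off + 16:off + 16 + caplen])
        off += 16 + caplen
        # Only touch Ethernet II + IPv4 frames whose IP header was fully captured.
        if len(pkt) >= 34 and pkt[12:14] == b"\x08\x00" and pkt[14] >> 4 == 4:
            ihl = (pkt[14] & 0x0F) * 4
            total_len = struct.unpack_from("!H", pkt, 16)[0]
            captured_ip = len(pkt) - 14  # IP bytes present after the Ethernet header
            if 20 <= ihl <= captured_ip < total_len:
                struct.pack_into("!H", pkt, 16, captured_ip)
                struct.pack_into("!H", pkt, 24, 0)  # zero the checksum before summing
                struct.pack_into("!H", pkt, 24, ip_checksum(bytes(pkt[14:14 + ihl])))
                report.append((idx, caplen, orig_len, total_len, captured_ip))
        out += struct.pack("<IIII", ts_sec, ts_usec, len(pkt), orig_len) + pkt
        idx += 1
    return bytes(out), report

def build_sample() -> bytes:
    """Constructed input: IP total length 1500, frame 1514, captured with -s 1000."""
    ip = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 1500, 1, 0, 64, 17, 0,
                               bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2])))
    struct.pack_into("!H", ip, 10, ip_checksum(bytes(ip)))
    frame = (b"\x02" * 12 + b"\x08\x00" + bytes(ip) + bytes(1480))[:1000]
    return (struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 1000, 1)
            + struct.pack("<IIII", 0, 0, 1000, 1514) + frame)

if __name__ == "__main__":
    fixed, report = repair_pcap(build_sample())
    for idx, caplen, orig_len, old, new in report:
        print(f"packet {idx}: caplen={caplen} len={orig_len} ip_total {old} -> {new}")
```

Because the record header still carries the original length, the truncation stays visible to anyone examining the repaired file.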